> That arpwatch notice just shows that there was a packet from an IP address
> that hadn't been seen before. What makes you think it's a spoofing attempt?

The newly advertised IP used the same MAC as the default gateway.

> Something like this might be seen if e.g. a new IP address was added on the
> default gateway router.

This would be the most "comforting" rationale, though I would expect my hosting provider to be more forthcoming about an infrastructure change. Additionally, traffic was observed via TCP/80 and TCP/443 testing the configuration of HTTP and TLS protocols, leading me to believe the IP was not benign.

> A tcpdump from the same time that the arpwatch notice was triggered might give
> a clearer picture. Without knowing more about the network config I couldn't
> say for sure, but it's quite possible that the hosting provider does protect
> against arp shenanigans.

Agreed that tcpdump would be useful, though I would expect arpwatch to be just as reliable. I have no doubt my hosting provider has certain protections in place. I've been a customer for a number of months with this being the first alert.

Thanks,
Paul
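The condition discussed in this message (an arpwatch "new station" report whose MAC matches the default gateway's) can be checked mechanically; the following is an added example, not part of the original message or of arpwatch itself. The log lines are constructed, the `<event> <ip> <mac> <iface>` layout and the gateway address `192.0.2.1` are assumptions, and MACs are normalized because arpwatch commonly writes octets without leading zeros.

```python
import re

# Constructed sample lines modelled on arpwatch syslog output (layout assumed:
# "<event> <ip> <mac> <iface>"). All addresses are documentation values.
SAMPLE_LOG = """\
Mar  3 09:00:01 web1 arpwatch: new station 192.0.2.1 0:0:5e:0:53:1 eth0
Mar  3 09:00:07 web1 arpwatch: new station 192.0.2.20 0:0:5e:0:53:a4 eth0
Mar  3 14:22:40 web1 arpwatch: new station 192.0.2.77 0:0:5e:0:53:1 eth0
Mar  3 14:25:12 web1 arpwatch: new activity 192.0.2.20 0:0:5e:0:53:a4 eth0
"""

EVENT_RE = re.compile(
    r"arpwatch: (?P<event>new station|new activity) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<mac>[0-9A-Fa-f]{1,2}(?::[0-9A-Fa-f]{1,2}){5})\b"
)

def normalize_mac(mac):
    """Zero-pad and lowercase each octet so 0:0:5e:0:53:1 == 00:00:5E:00:53:01."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))

def parse_events(log_text):
    """Yield (event, ip, normalized_mac) for each recognised arpwatch line."""
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            yield m["event"], m["ip"], normalize_mac(m["mac"])

def new_ips_on_gateway_mac(log_text, gateway_ip):
    """Return IPs reported as new stations that share the gateway's MAC.

    The gateway's MAC is learned from the log itself, so the gateway must
    have been seen by arpwatch at least once.
    """
    events = list(parse_events(log_text))
    gateway_macs = {mac for _, ip, mac in events if ip == gateway_ip}
    return [
        ip for event, ip, mac in events
        if event == "new station" and ip != gateway_ip and mac in gateway_macs
    ]

if __name__ == "__main__":
    for ip in new_ips_on_gateway_mac(SAMPLE_LOG, "192.0.2.1"):
        print(f"{ip} appeared on the gateway's MAC; confirm with the provider "
              "or a tcpdump capture before treating it as spoofing")
```

A match only establishes that a second IP is answering from the gateway's MAC; as the thread notes, a router gaining an extra address produces the same report.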